What does triage have to do with negligence?
Hi! I said last time that we were gonna talk about TRIAGE.
So was it negligence if you left someone in the emergency room bleeding from a bad cut?
Well, suppose you had triaged that person, and determined they were gonna be fine. They would live – they were hurting but they would live – and you prioritized dealing with a much more time-critical injury, someone who only had 30 minutes left on the clock. Of course that’s not negligence. That is appropriate prioritization.
Is it negligence if you left servers unpatched? Well, not if they didn’t have any sensitive data and you were prioritizing patching more important servers.
Triage is really prioritization
If an emergency popped up and you decided to temporarily not follow the rules in order to deal with something much more important, that’s not negligence, that’s good judgement.
With security, deciding not to implement some security controls because they are too expensive is another example of prioritization. Unlike in a medical situation, in business when you are prioritizing risk, security and opportunity, you measure them in money.
But risk, security and opportunity are super vague. We can’t really know what a security breach is going to cost, or whether something bad is going to happen this year. Maybe there is a 50% chance, maybe there is a 90% chance that something bad is going to happen.
How can we actually quantify that, how can you define a business case around something so vague? In the next series, I’m going to walk through a set of skills that are necessary for doing a good job of risk analysis.
Can you do me a favor that doesn’t cost anything? Hit reply and let me know which one of these you see used most often.
What units do you see used to measure and visualize the results of risk analysis?
- Categories (high / medium / low)
- Severity 1-5, Impact 1-5, multiply together for a score, show in a heatmap
- An estimated dollar amount
- A probability distribution of annualized loss.
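To make the last two units concrete, here is an added example (mine, not part of the original newsletter) that takes the unpatched-servers scenario above, assigns each server a constructed breach probability and loss range, and turns that into an estimated dollar amount and a simulated distribution of annualized loss; the server names, probabilities and loss figures are invented for illustration.

```python
import random
import statistics

# Constructed inventory (hypothetical values): chance the server is breached
# this year, and the low/high dollar loss if it is.
SERVERS = {
    "public-web":    {"p_breach": 0.90, "loss_low": 20_000, "loss_high": 200_000},
    "internal-wiki": {"p_breach": 0.50, "loss_low": 1_000,  "loss_high": 10_000},
}


def expected_annual_loss(p_breach, loss_low, loss_high):
    """Point estimate in dollars: probability of breach times the midpoint loss."""
    return p_breach * (loss_low + loss_high) / 2


def simulate_annual_loss(p_breach, loss_low, loss_high, trials=10_000, seed=1):
    """Monte Carlo: one simulated year per trial, 0 loss if no breach occurs."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        if rng.random() < p_breach:
            losses.append(rng.uniform(loss_low, loss_high))
        else:
            losses.append(0.0)
    return losses


def percentile(samples, q):
    """q-th percentile (0..1) of a list of samples, nearest-rank style."""
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def summarize(name, p_breach, loss_low, loss_high):
    """Expected loss plus the spread of the simulated annual-loss distribution."""
    samples = simulate_annual_loss(p_breach, loss_low, loss_high)
    return {
        "name": name,
        "expected": expected_annual_loss(p_breach, loss_low, loss_high),
        "mean": statistics.mean(samples),
        "p50": percentile(samples, 0.50),
        "p90": percentile(samples, 0.90),
        "worst": max(samples),
    }


def patch_order(servers):
    """Triage: patch the server with the largest expected annual loss first."""
    return sorted(servers, key=lambda n: expected_annual_loss(**servers[n]), reverse=True)


if __name__ == "__main__":
    for name in patch_order(SERVERS):
        print(summarize(name, **SERVERS[name]))
```

The point estimate answers "what is it worth to patch this first?", while the p50/p90/worst figures show how wide the range is behind that single number, which is what a heatmap score hides.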